Report 2018-611 Recommendation Responses
Report 2018-611: Gaps in Oversight Contribute to Weaknesses in the State's Information Security (Release Date: July 2019)
Recommendation for Legislative Action
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to confidentially submit certifications of their compliance with their adopted standards to the Assembly Privacy and Consumer Protection Committee and, if applicable, to confidentially submit corrective action plans to address any outstanding deficiencies.
Description of Legislative Action
AB 2135 (Irwin, 2021) would require nonreporting state agencies to certify to the President pro Tempore of the Senate and the Speaker of the Assembly annually by February 1 that the agency is in compliance with all adopted policies, standards, and procedures and to include a plan of action and milestones, as specified. This bill would require that the certification be kept confidential and not be disclosed, except that the information and records would be allowed to be shared, maintaining a chain of custody, with the members of the Legislature and legislative employees, at the discretion of the President pro Tempore of the Senate or the Speaker of the Assembly. As of September 14, 2022, this bill passed the Legislature and has been submitted to the Governor for signature.
- Legislative Action Current As-of: September 2022
California State Auditor's Assessment of Status: Legislation Introduced
As of September 14, 2022, AB 2135 (Irwin, 2021) passed the Legislature and has been submitted to the Governor for signature.
Description of Legislative Action
AB 809 (Irwin) would require state agencies not subject to the authority of the Department of Technology to certify, by February 1, annually, to the Assembly Committee on Privacy and Consumer Protection that the agency is in compliance with all adopted policies, standards, and procedures and include a corrective action plan to address any outstanding deficiencies, the estimated dates of compliance, and any additional resources it requires in order to cure each deficiency. The bill would require that the certification be kept confidential and not be disclosed, except that the information and records would be allowed to be shared with the members of the Legislature and legislative employees, at the discretion of the chairperson of the committee.
- Legislative Action Current As-of: July 2021
California State Auditor's Assessment of Status: Legislation Introduced
Description of Legislative Action
AB 2669 would require state agencies not subject to the authority of the Department of Technology to certify, by February 1, annually, to the Assembly Committee on Privacy and Consumer Protection that the agency is in compliance with all adopted policies, standards, and procedures and include a corrective action plan to address any outstanding deficiencies, the estimated dates of compliance, and any additional resources it requires in order to cure each deficiency.
- Legislative Action Current As-of: July 2020
California State Auditor's Assessment of Status: Legislation Introduced
Description of Legislative Action
As of January 2020, the Legislature has not taken action to address this specific recommendation.
- Legislative Action Current As-of: January 2020